From military operations to healthcare, children's toys to appliances, any device that connects to the internet and sends or receives data over it is considered part of the Internet of Things (IoT). How many 'Things' in your business or private life are part of the IoT? Have you given a second thought to the security risks? Katie Williard of The Core Solution offers some food for thought if you have not considered it much before. Read her article here: https://www.thecoresolution.com/the-internet-of-things

While looking on the web for information on Abraham Wald, a brilliant statistician, I found this article, Survivorship Bias, published by David McRaney in 2013.

A five to ten minute read, I found the article fascinating and full of food for thought, challenging what often appears axiomatic. Wald comes into the picture because he was called upon to help determine where additional armour should be placed to increase the chances of WW II British and American bombers and their crews making it back to base after a bombing mission. Every mission meant running the gauntlet of heavy anti-aircraft artillery, with a consequent heavy loss of aircraft and life. The military examined the planes that returned and documented where the most damage was, producing the damage map shown in the article.

Military commanders wanted to put the thicker protection where they could clearly see the most damage, where the holes clustered. Were they right? No. The returning planes show where a bomber can take a hit and still fly home; the sections with no holes are where the planes that did not return were hit. Read the article to find out why, and why it's time to review many of your obviously correct assumptions about so many things.
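To make the reasoning concrete, here is a small simulation I have added; it is not part of McRaney's article or of Wald's work, and the section names, lethality figures and sortie counts in it are constructed for illustration. Flak hits land uniformly across the aircraft, but a hit in some sections is far more likely to be fatal. Only the planes that return can be inspected, so the holes the commanders see are concentrated in the sections where a hit is survivable, and the naive rule armours exactly the wrong place.

```python
import random
from collections import Counter

# Constructed scenario (invented figures, not data from Wald or the article):
# four sections of the aircraft, each equally exposed to flak, but with very
# different probabilities that a single hit there brings the plane down.
LETHALITY = {
    "engines": 0.80,
    "cockpit": 0.70,
    "fuselage": 0.20,
    "wingtips": 0.05,
}


def fly_sorties(n_sorties, hits_per_sortie=2, seed=1):
    """Simulate sorties and return (holes seen on returned planes, all hits).

    The first Counter is what the commanders could inspect on the airfield.
    The second includes hits on planes that never came back and exists only
    inside the simulation as ground truth.
    """
    rng = random.Random(seed)
    sections = list(LETHALITY)
    observed = Counter()
    all_hits = Counter()
    for _ in range(n_sorties):
        hits = [rng.choice(sections) for _ in range(hits_per_sortie)]
        all_hits.update(hits)
        # The plane returns only if it survives every hit it took.
        if all(rng.random() >= LETHALITY[s] for s in hits):
            observed.update(hits)
    return observed, all_hits


def naive_armour_choice(observed):
    """The commanders' instinct: armour where the returners show the most holes."""
    return max(observed, key=observed.get)


def wald_armour_choice(observed):
    """Wald's reasoning: every section is equally exposed, so the section with
    the fewest holes on the returners is the one where hits were most often
    fatal. That is where the armour belongs."""
    return min(observed, key=observed.get)


def relative_survivability(observed):
    """Under the equal-exposure assumption, holes per section on the returners
    are proportional to the chance of surviving a hit there. Normalise so the
    safest section scores 1.0."""
    safest = max(observed.values())
    return {s: observed[s] / safest for s in observed}


def empirical_most_lethal(observed, all_hits):
    """Ground truth from information the commanders never had: the section
    with the lowest fraction of hits that came home."""
    return min(all_hits, key=lambda s: observed[s] / all_hits[s])


if __name__ == "__main__":
    observed, all_hits = fly_sorties(20000)
    print("holes on returning planes:", dict(observed))
    print("naive choice:", naive_armour_choice(observed))
    print("Wald's choice:", wald_armour_choice(observed))
    print("actually most lethal:", empirical_most_lethal(observed, all_hits))
```

The whole argument rests on the equal-exposure assumption: if the wingtips really were hit four times as often as the engines, a sparse engine section would no longer signal lethality. Wald's method works because the question "where should holes be, if nothing were filtering the sample?" has a defensible answer for flak; the same question is the first thing to ask of any dataset that only contains the cases that came back.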

If a product has ISO 13485 certification, it means the product is of high quality, trustworthy, and reliable enough to be used as a medical device in any hospital / medical setting - correct? Does it also imply that its performance or effectiveness is proven too?

Here is my reply...

Remember, it is the organisation, not the product, that is certified. Once the organisation is certified, all products should be manufactured following due process according to the quality management system as laid out in the Quality Manual.

For me, if a medical device manufacturer does not have ISO 13485 certification then they do not warrant a second look. ISO 13485 should be the first requirement for supplier qualification, but certainly NOT the only requirement.

Having ISO 13485 merely gets a manufacturer to first base. It is not a home run. The customer needs to do due diligence to ensure the medical device truly meets all the requirements that are critical to quality for their use, including, if appropriate, satisfactorily passing a supplier (second-party) audit.

I was asked this question by an environmental engineer who lives and works in a developing country outside of North America and the EU. Here is my response with changes where necessary to preserve anonymity.

Thank you for your query.

I don’t want to over-complicate this and I am not sure how much you already know about auditing. I think it will be safest to proceed as if you do not know much even though, as an environmental engineer, you probably already know quite a lot.

There are three types of audit.

Type 1 (or first party) audits are internal audits conducted by an organisation to assess its own compliance with regulations and conformity to standards.

Type 3 (or third party) audits are audits conducted at an organisation by a qualified, external auditor sent by an accredited certification body at the request of the organisation. The purpose of a third party audit is to certify (or not) that an organisation has in place a management system that conforms effectively to one or more standards such as ISO 14001 (environmental) or ISO 9001 (quality). The certification body issues a certificate of conformity upon a successful audit. Such certification audits are usually conducted every three years, with a 'surveillance audit' annually in the intervening years. Third party auditors must undergo training, typically 4 or 5 days, and then observe a certain number of audit days (usually without remuneration) before being qualified to conduct third party audits themselves.

Type 2 (or second party) audits are audits conducted by a customer (actual or potential) upon a supplier (actual or potential) to determine whether the supplier meets prerequisite requirements that the customer judges to be reliable predictors of future satisfaction. Such customers typically have their own process for approving suppliers prior to placing large or important orders. Some customers waive or reduce the scope of second party audits if the supplier has certification to a standard such as ISO 9001.

People who are 3rd party auditors have almost always begun their auditing career as an internal (1st party) auditor in an organisation that holds a particular certification such as ISO 9001 or ISO 14001. There they would have been trained in the standards to which their organisation is certified, and trained to do internal auditing as a lead auditor. However, internal auditors do not have to be employees of the company they are auditing; they could be contractors. In your case, your company could send you on a training course for ISO 14001 (2 or 3 days) followed by lead auditor training (2 days). It could then offer internal audits as a service to its clients. It's worth thinking about. If I were you I would want to observe or assist on the team on one or two audits prior to conducting an audit as a lead auditor. Additionally, you could conduct an internal audit at your employer with a view to providing a gap analysis.

I Googled “ISO 14001 training in <your country>” and see there are a few companies that offer lead auditor training, which is what you would want to do.

9.3.2 e) Effectiveness of actions addressing risks/opportunities. Anyone care to share how you measure and review the effectiveness of these actions?

So here is my short answer to this question: use Key Performance Indicators (KPIs).

Hopefully you have done something like a SWOT analysis in order to meet the requirements of clause 6.1, Actions to address risks and opportunities.

SWOT Analysis Chart

Then, following on from that, you would also have some kind of strategic plan for maximising or leveraging the strengths and opportunities, and mitigating, minimising or forestalling the weaknesses and threats, identified in your SWOT analysis. Out of that, again, you would have goals and objectives that are measurable with KPIs. For example, if the action for a supply risk was to qualify a second source for a critical component, a KPI might be the share of that component's volume delivered by the second supplier, and the management review compares the achieved figure against the target and decides whether the action has actually reduced the risk.

A prerequisite of any successful Six Sigma DMAIC project is that the project be aligned with the strategic vision, goals and objectives of the organization.

What comes before the 'Define' phase is the selection of the most appropriate project to take the organization along that road.

Project proposals define the problem at a high level: why is this a problem? If your organization does not have explicitly formulated goals and objectives aligned with a strategic vision, then you do not have the maturity to run a Six Sigma project.

Yes. This is the wrong reason, because if this is what is driving your organisation to seek ISO 9001 certification you are in for a rough ride. This is one of the reasons why ISO gets a bad rap from companies, both management and staff.

You cannot decrease costs by focusing on the costs: decreased costs are a by-product of quality and productivity. "Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs." - W. E. Deming